PT-2025-53607 · Yt-Dlp+1

Pyroxenites · Published 2025-12-26 · Updated 2026-03-09 · CVE-2025-66203

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

StreamVault versions prior to 251126

Description

StreamVault is a video download integration solution. A Remote Code Execution (RCE) issue exists in the stream-vault application (SpiritApplication). The application does not properly validate administrator-configured yt-dlp arguments through the /admin/api/saveConfig API endpoint. These arguments are stored and later used in YtDlpUtil.java when constructing the command line for executing yt-dlp. This allows for potential command execution. The vulnerable parameter is ytdlpargs.

Recommendations

Versions prior to 251126 should be updated to version 251126 or later.
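
The class of check the description says was missing can be sketched as an allowlist applied to ytdlpargs when the configuration is saved, with the result passed to the process as a separate argument vector. This is an added example, not StreamVault's code or its actual fix; the class name YtDlpArgPolicy, the permitted options and the value patterns are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example (hypothetical class): allowlist for operator-supplied yt-dlp arguments. */
public final class YtDlpArgPolicy {
    // Options that take no value. Assumed policy: list only what the deployment needs.
    private static final List<String> FLAGS =
        List.of("--no-playlist", "--write-subs", "--embed-thumbnail");
    // Options that take exactly one value, with the pattern that value must match.
    // Values may not start with '-', so an option can never be smuggled in as a value.
    private static final Map<String, Pattern> VALUED = Map.of(
        "--format", Pattern.compile("[A-Za-z0-9][A-Za-z0-9+/.,_-]{0,63}"),
        "--retries", Pattern.compile("\\d{1,2}"),
        "--limit-rate", Pattern.compile("\\d{1,6}[KMG]?"));

    /** Returns the argument vector, or throws if any token is outside the allowlist. */
    public static List<String> validate(String raw) {
        List<String> out = new ArrayList<>();
        if (raw == null || raw.isBlank()) return out;
        String[] tok = raw.trim().split("\\s+");
        for (int i = 0; i < tok.length; i++) {
            String opt = tok[i];
            if (FLAGS.contains(opt)) { out.add(opt); continue; }
            Pattern p = VALUED.get(opt);
            if (p == null) throw new IllegalArgumentException("option not allowed: " + opt);
            if (i + 1 >= tok.length || !p.matcher(tok[i + 1]).matches())
                throw new IllegalArgumentException("bad value for " + opt);
            out.add(opt);
            out.add(tok[++i]); // consume the value token as well
        }
        return out;
    }

    /** Builds argv for ProcessBuilder: no shell, and "--" so the URL is never parsed as an option. */
    public static List<String> buildCommand(List<String> validated, String url) {
        List<String> cmd = new ArrayList<>(List.of("yt-dlp"));
        cmd.addAll(validated);
        cmd.add("--");
        cmd.add(url);
        return cmd;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one accepted, one rejected.
        System.out.println(buildCommand(validate("--format best --retries 3"), "https://example.com/v"));
        try { validate("--format best --not-on-the-list x"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Running validate both when /admin/api/saveConfig stores the value and again when the command is built means configuration saved before the check existed is also rejected.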

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-66203
GHSA-C747-Q388-3V6M

Affected Products

Streamvault
Yt-Dlp